Do not publicly disclose a vulnerability for at least 30 days.
To report a vulnerability, email em@emsa.cf and expect a response within 30 days. If the matter cannot be privately resolved, make a pull request to put the platform into maintenance mode and then make a GitHub issue to resolve it with others.